Here We Go Again: Vendor Cybersecurity Breaches Keep Wreaking Havoc

Another day, another third-party data breach. Actually, two of them.

Earlier this month we learned that data from at least 6 million Verizon Wireless users was leaked online, including phone numbers, names, and the PINs used to access accounts. Cybersecurity firm UpGuard discovered the leak, which was caused by NICE Systems, a vendor Verizon Wireless was using to manage customer service phone calls. Ironically, the software company bills itself as a firm that helps companies, including financial institutions, “ensure compliance and fight financial crime.”

The source of the problem, according to CNN, was an Amazon S3 storage server that was set to public instead of private. Anyone with a link could access data on the server until the problem was fixed—more than a week after it was discovered.

How often do mistakes like this result in breaches? The 2017 Verizon Data Breach Investigations Report found that errors are responsible for 14 percent of cybersecurity breaches and that 27 percent of breaches are discovered by third parties.

Our second incident comes courtesy of some of the most high-end hotel chains in the country, including Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos and Loews Hotels. Guest data, including credit card and contract information, was exposed for about eight months.

The common thread among the hotels: Sabre Hospitality Solutions' SynXis Central Reservation system. More than 36,000 properties use the system.

Sabre owned up to the issues in the company’s quarterly SEC filing in May, mentioning “unauthorized access to payment information contained in a subset of hotel reservations.” Now hotels are informing guests that their information may have been stolen.

How vigilant is your institution when it comes to vendors? The Verizon report states that 24 percent of cybersecurity breaches affect financial organizations. More than half of victims have fewer than 1,000 employees. A vendor is often targeted instead of the institution itself if the vendor is viewed as having potentially weaker security, the report notes, calling some “a soft target useful as a stepping stone to their partners’ systems.”

Are your vendors training their staff to be on guard for phishing emails? Are they keeping their systems up to date with patches and updates? Do they monitor employee data use? Are they on top of the latest threats? Do they carefully follow detailed policies and procedures?

A good vendor management program will ensure that vendors tell you all this and more, helping you put the controls in place to prevent your institution from making the next headline.